Boarding pass scanners now at TSA checkpoints

[David Farber <dave () farber net>]

Begin forwarded message:

From: Matt Blaze <mab () crypto com>
Date: September 18, 2009 11:20:45 PM EDT
To: David Farber <dave () farber net>
Subject: Boarding pass scanners now at TSA checkpoints

For IP if you'd like.

Yesterday at the Philadelphia airport, I noticed something new at the  
security checkpoint: the TSA ID checker had a boarding pass scanner  
along with the usual UV flashlight and magnifying glass.  The scanner  
didn't seem to be in use yet, but others have told me that they have  
had their boarding passes scanned by the TSA at security checkpoints  
at various airports this week.

The scanners verify that the boarding pass is valid (presumably with a  
database lookup into the airline reservation record) and display the  
passenger name as reflected in the record.  The devices are apparently  
a countermeasure against the "anonymous flyer" technique first  
described by Bruce Schneier in 2003 in which a traveler creates a fake  
boarding pass with her true name for use at the security checkpoint, but
uses a real boarding pass with a fake name to actually board his or  
her flight.  You may recall the furor a couple years ago when Chris  
Soghoian made available a do-it-yourself counterfeit boarding pass  
generator to demonstrate the exploit.  But aside from hassling Mr.  
Soghoian, the TSA never actually fixed their procedures to prevent the  
attack, however "dangerous" anonymous flying might actually be.

So the new scanners are intended to, years later, to close this  
loophole.  But the problem is, they don't actually prevent anonymous  
flying.  The exploit requires a slight adjustment, but the bottom line  
is that it's still as easy as ever for a bad guy to get on a plane  
without the government knowing his or her true name.  But now the TSA  
has a bunch of fancy new scanners at their checkpoints, paid for by  
you and me, with little actual gain in security

It feels almost unsporting to criticize the TSA these days, an agency  
whose popularity seems to lie somewhere between that of the IRS and Al  
Queda.  But this ineffective patch of a security vulnerability is  
symptomatic of larger problems with our approach to aviation  
security.   Depending on strong ID checks of airline passengers is an  
ill-conceived response to an ill-defined threat in the first place,  
but what more can we expect given the pressure on officials to do  
*something*, where progress is measured only by perception.

Anyway, I blog a bit more about the new scanners and the obvious way  
to defeat them at
 http://www.crypto.com/blog/patching_the_TSA/

-matt





-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com